Apache X-Frame-Options Allow-From multiple domains

It's worth noting that ALLOW-FROM is being removed from Firefox 70, and other browsers are likely to follow. You will want to use CSP's frame-ancestors directive instead, which is supported in about 95% of browsers.

Your example would then be:

Header always append Content-Security-Policy "frame-ancestors site1 site2 site3;"

EDIT: frame-ancestors overwrites X-FRAME-OPTIONS in new browsers, so theroetically you could set a value for old browsers in there and have CSP overwrite it in new browsers, but the problem is that there is no X-FRAME-OPTIONS value that will let you be embedded in multiple webpages. The only valid options are deny (not allowed anywhere), sameorigin (your website only) and allow-from (removed from modern browsers, only allowed one site anyway).

The old X-FRAME-OPTIONS value that you want to overwrite is none at all. That will allow you to embed your site in multiple other sites (all of them) and restrict it to the sites you allow in modern browsers.

If not embedding in disallowed sites is more important than embedding in allowed sites, then combine the above with:

Header always append X-Frame-Options "DENY"

That will prevent your site being embedded in all sites in about 3% of browsers, shown only in the allowed sites in 95% of browsers, and shown everywhere in the remaining 2% (even X-FRAME-OPTIONS isn't supported everywhere).


EDIT 17/01/2018 : This is what is correct :

Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM http://www.example.com/"  
Header append X-Frame-Options "ALLOW-FROM http://example.com/"
Header append X-Frame-Options "ALLOW-FROM https://www.example.com/"
Header append X-Frame-Options "ALLOW-FROM https://example.com/"

So basicaly you only allow iframes from your site (SAMEORIGIN) and you specify with an "append" a list of allowed url. if you don't add the "append" each line will overwrite the previous one.

This actually works with internet explorer 11, doesn't work in Firefox 57, and is ignored by Chrome...

testing with https://securityheaders.io will not give you a "A" because they can't handle multiple uri

We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL".

Another possibility which seems to work in IE11 and Firefox is :

 Header always set X-Frame-Options "ALLOW-FROM https://www.example.fr/ https://example.fr/ http://www.example.fr/ http://example.fr/"

It gives a "A" when you check the result with https://securityheaders.io

By the way i'm wondering what's the point of using a security setting that you can bypass using the most used browser in the world (Chrome) ??


SetEnvIf Referer "^(https:\/\/.*\.example1\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1
SetEnvIf Referer "^(https:\/\/.*\.example2\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1

Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM %{X_FRAME_OPTIONS_ALLOWED}e" env=X_FRAME_OPTIONS_ALLOWED`